Merge lp:~jamestait/canonical-identity-provider/if-you-dont-ask-you-dont-get into lp:canonical-identity-provider/release

Proposed by James Tait
Status: Merged
Approved by: Ricardo Kirkner
Approved revision: no longer in the source branch.
Merged at revision: 856
Proposed branch: lp:~jamestait/canonical-identity-provider/if-you-dont-ask-you-dont-get
Merge into: lp:canonical-identity-provider/release
Diff against target: 151 lines (+71/-27)
2 files modified
identityprovider/tests/test_views_server.py (+65/-23)
identityprovider/views/server.py (+6/-4)
To merge this branch: bzr merge lp:~jamestait/canonical-identity-provider/if-you-dont-ask-you-dont-get
Reviewer Review Type Date Requested Status
Ricardo Kirkner (community) Approve
Review via email: mp+163894@code.launchpad.net

Commit message

Ensure that the attributes returned in the responses for AX and SReg were actually requested via that method, rather than returning all approved attributes in both responses.

Description of the change

Ensure that the attributes returned in the responses for AX and SReg were
actually requested via that method, rather than returning all approved
attributes in both responses.

To post a comment you must log in.
Revision history for this message
Ricardo Kirkner (ricardokirkner) wrote :

l. 92-97: this could be rolled up in a single loop instead

approving anyway, as it's not critical to fix.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'identityprovider/tests/test_views_server.py'
2--- identityprovider/tests/test_views_server.py 2013-05-06 08:52:33 +0000
3+++ identityprovider/tests/test_views_server.py 2013-05-15 11:50:44 +0000
4@@ -31,6 +31,7 @@
5
6 import identityprovider.signed as signed
7 from identityprovider.const import (
8+ AX_DATA_FIELDS,
9 AX_URI_ACCOUNT_VERIFIED,
10 AX_URI_EMAIL,
11 AX_URI_FULL_NAME,
12@@ -192,37 +193,84 @@
13 self.assertEqual(query['openid.ax.value.account_verified.1'],
14 'token_via_email')
15
16- def test_handle_user_response_auto_auth_large_response(self):
17+ def test_handle_user_response_auto_auth_large_ax_sreg_response(self):
18 # Make sure we get a large response
19 self.account.displayname = 'a' * OPENID1_URL_LIMIT
20 self.account.save()
21- self._test_auto_auth()
22+ self._test_auto_auth(ax=['email',
23+ 'account_verified',
24+ 'language'],
25+ sreg=['fullname'])
26
27- def test_handle_user_response_auto_auth_borderline_response(self):
28+ def test_handle_user_response_auto_auth_borderline_ax_sreg_response(self):
29 # Make a response that's small enough that it fits in a redirect before
30 # signing, but large enough that it will need a POST after signing. We
31 # might want to come up with a more robust method of determining the
32 # required length, but this works for now.
33 self.account.displayname = 'a' * (OPENID1_URL_LIMIT / 2)
34 self.account.save()
35- self._test_auto_auth()
36-
37- def _test_auto_auth(self):
38+ self._test_auto_auth(ax=['email',
39+ 'account_verified',
40+ 'language'],
41+ sreg=['fullname'])
42+
43+ def test_handle_user_response_auto_auth_large_ax_only_response(self):
44+ self.account.displayname = 'a' * OPENID1_URL_LIMIT
45+ self.account.save()
46+ self._test_auto_auth(ax=['fullname'])
47+
48+ def test_handle_user_response_auto_auth_large_sreg_only_response(self):
49+ self.account.displayname = 'a' * OPENID1_URL_LIMIT
50+ self.account.save()
51+ self._test_auto_auth(sreg=['fullname'])
52+
53+ def _test_auto_auth(self, ax=None, sreg=None):
54 # update rp to auto authorize
55 self.rpconfig.auto_authorize = True
56 self.rpconfig.allowed_user_attribs = 'fullname,email,account_verified'
57 self.rpconfig.save()
58
59+ # Define expected values for each attribute
60+ expected_values = {
61+ 'email': self.email,
62+ 'account_verified': 'token_via_email',
63+ 'language': None, # disallowed by rpconfig
64+ 'fullname': self.account.displayname,
65+ }
66+ expected_fields = [
67+ ('openid.claimed_id', self.account.openid_identity_url),
68+ ('openid.identity', self.account.openid_identity_url),
69+ ]
70+ unexpected_fields = []
71+
72 self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
73- self.params.update({
74- 'openid.ns.ax': AXMessage.ns_uri,
75- 'openid.ax.mode': FetchRequest.mode,
76- 'openid.ax.type.fullname': AX_URI_FULL_NAME,
77- 'openid.ax.type.email': AX_URI_EMAIL,
78- 'openid.ax.type.account_verified': AX_URI_ACCOUNT_VERIFIED,
79- 'openid.ax.type.language': AX_URI_LANGUAGE,
80- 'openid.ax.required': 'fullname,email,account_verified,language',
81- })
82+ if ax:
83+ self.params.update({
84+ 'openid.ns.ax': AXMessage.ns_uri,
85+ 'openid.ax.mode': FetchRequest.mode,
86+ 'openid.ax.required': ','.join(ax)
87+ })
88+ self.params.update(
89+ [['openid.ax.type.%s' % alias,
90+ AX_DATA_FIELDS.getNamespaceURI(alias)] for alias in ax])
91+ expected_fields += [('openid.ax.mode', 'fetch_response')]
92+ expected_fields += [('openid.ax.value.%s.1' % k, v)
93+ for k, v in expected_values.iteritems()
94+ if k in ax and v is not None]
95+ unexpected_fields += [('openid.ax.value.%s.1' % k)
96+ for k, v in expected_values.iteritems()
97+ if k not in ax or v is None]
98+ if sreg:
99+ self.params.update({
100+ 'openid.ns.sreg': 'http://openid.net/sreg/1.0',
101+ 'openid.sreg.required': ','.join(sreg),
102+ })
103+ expected_fields += [('openid.sreg.%s' % k, v)
104+ for k, v in expected_values.iteritems()
105+ if k in sreg and v is not None]
106+ unexpected_fields += ['openid.sreg.%s' % k
107+ for k, v in expected_values.iteritems()
108+ if k not in sreg or v is None]
109 response = self.client.post(self.url, self.params)
110 self.assertEqual('text/html', response['Content-type'].split(';')[0])
111 dom = PyQuery(response.content)
112@@ -232,16 +280,10 @@
113 self.assertEqual('document.forms[0].submit();', body.get('onload'))
114 forms = dom.find('form')
115 self.assertEqual(len(forms), 1)
116- expected_fields = (
117- ('openid.claimed_id', self.account.openid_identity_url),
118- ('openid.identity', self.account.openid_identity_url),
119- ('openid.ax.mode', 'fetch_response'),
120- ('openid.ax.value.email.1', self.email),
121- ('openid.ax.value.fullname.1', self.account.displayname),
122- ('openid.ax.value.account_verified.1', 'token_via_email'),
123- )
124 for k, v in expected_fields:
125 self.assertEqual(v, forms[0].fields[k])
126+ for k in unexpected_fields:
127+ self.assertNotIn(k, forms[0].fields)
128 for k in ('openid.assoc_handle', 'openid.sig'):
129 self.assertIn(k, forms[0].fields)
130
131
132=== modified file 'identityprovider/views/server.py'
133--- identityprovider/views/server.py 2013-04-30 16:49:09 +0000
134+++ identityprovider/views/server.py 2013-05-15 11:50:44 +0000
135@@ -607,10 +607,12 @@
136 sreg_response = SRegResponse.extractResponse(
137 sreg_request, form.data_approved_for_request)
138 openid_response.addExtension(sreg_response)
139- ax_response = ax.FetchResponse(ax_request)
140- for k, v in form.data_approved_for_request.iteritems():
141- ax_response.addValue(AX_DATA_FIELDS.getNamespaceURI(k), v)
142- openid_response.addExtension(ax_response)
143+ if ax_request is not None:
144+ ax_response = ax.FetchResponse(ax_request)
145+ for k, v in form.data_approved_for_request.iteritems():
146+ if AX_DATA_FIELDS.getNamespaceURI(k) in ax_request:
147+ ax_response.addValue(AX_DATA_FIELDS.getNamespaceURI(k), v)
148+ openid_response.addExtension(ax_response)
149
150
151 def _process_decide(request, orequest, decision):